The ultra-simple setup offered by Chromecast leaves it vulnerable to being hijacked, with an attacker able to send any content they want to your TV, says a security analyst – who proved the point by building a box to Rickroll any Chromecasts within wifi range …
The key to Chromecast’s painless configuration is that it goes into setup mode as soon as it finds itself without a wifi connection. It’s this feature which the attack exploits. TechCrunch summarized the 20-minute video in which Dan Petro explains how the hack works.
- The WiFi standard has something called a “deauth” command built-in, which tells a device that it needs to leave the network and try to reconnect
- For one reason or another, this command is sent to a device without encryption… which means it can also be sent from devices that aren’t actually allowed on the network. That’s not a Chromecast bug; it’s a fairly universal quirk of WiFi devices. Most devices just go “Okay, whatever” and instantly reconnect.
- The Chromecast, however, responds to the deauth command by going back into configuration mode. It starts broadcasting its own WiFi, which you — or a prankster — can connect to, to configure the device.
- The Rickmote, built on top of a Raspberry Pi, finds a Chromecast, floods it with deauth commands, then tells it to connect to its WiFi network instead. Tada! Chromecast hijacked.
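Because the deauth flood is what pushes the Chromecast back into setup mode, a burst of deauthentication frames aimed at one client is the signal a wireless monitor on the home network would look for. The following is an added detection example written for this article (not code from the Rickmote project or the talk); it runs over constructed frame records with made-up MAC addresses and flags any client that receives a threshold of deauth frames within a short window, recording which senders were responsible.

```python
from collections import deque
from dataclasses import dataclass

@dataclass
class Frame:
    ts: float      # capture time in seconds
    subtype: str   # 802.11 management subtype, e.g. "deauth", "beacon"
    src: str       # transmitter address (claimed BSSID for deauth)
    dst: str       # receiver address

def detect_deauth_floods(frames, threshold=10, window=5.0):
    """Return {dst: (first_flag_ts, sources)} for every receiver that
    sees >= threshold deauth frames inside any window of `window` seconds.
    sources is the set of transmitter addresses seen in the flood."""
    recent = {}   # dst -> deque of deauth timestamps still inside the window
    sources = {}  # dst -> set of src addresses that sent deauths
    flagged = {}
    for f in sorted(frames, key=lambda fr: fr.ts):
        if f.subtype != "deauth":
            continue
        q = recent.setdefault(f.dst, deque())
        q.append(f.ts)
        sources.setdefault(f.dst, set()).add(f.src)
        while q and f.ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold and f.dst not in flagged:
            flagged[f.dst] = (f.ts, set(sources[f.dst]))
    return flagged

# Constructed sample capture: hypothetical addresses, not real devices.
AP = "02:00:00:00:00:01"          # the legitimate access point
CHROMECAST = "02:00:00:00:00:42"  # the targeted stick
LAPTOP = "02:00:00:00:00:07"      # another client, gets two ordinary deauths

def sample_frames():
    frames = [Frame(0.0, "beacon", AP, "ff:ff:ff:ff:ff:ff")]
    # 20 spoofed deauths (claiming to come from the AP) in two seconds
    frames += [Frame(10.0 + i / 10, "deauth", AP, CHROMECAST) for i in range(20)]
    # Two widely spaced deauths to the laptop: normal roaming, not a flood
    frames += [Frame(30.0, "deauth", AP, LAPTOP), Frame(90.0, "deauth", AP, LAPTOP)]
    return frames

if __name__ == "__main__":
    for dst, (ts, srcs) in detect_deauth_floods(sample_frames()).items():
        print(f"deauth flood against {dst} at t={ts:.1f}s from {sorted(srcs)}")
```

Because the spoofed frames carry the real AP's address, the sender set alone does not distinguish a prank from a misbehaving access point; the rate is the useful signal, and 802.11w (management frame protection) on devices that support it is what removes the underlying weakness.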
Wifi networks are pretty short-range, so an attacker would have to be pretty close to your home to pull this off, and could only hijack a handful of Chromecast sticks at any one time. For that reason, it’s unlikely to be a massive concern, but the potential for targeted malicious attacks is there – especially as the source code is on GitHub. (Which has an amusing Rickroll of its own in the More information section.)